PacktLib: OpenVPN 2 Cookbook

OpenVPN 2 Cookbook


About the Author

About the Reviewers


Point-to-Point Networks


Shortest setup possible

OpenVPN secret keys

Multiple secret keys

Plaintext tunnel


Configuration files versus the command-line

Complete site-to-site setup

3-way routing

Client-server IP-only Networks


Setting up the public and private keys

Simple configuration

Server-side routing

Using 'client-config-dir' files

Routing: subnets on both sides

Redirecting the default gateway

Using an 'ifconfig-pool' block

Using the status file

Management interface


Client-server Ethernet-style Networks


Simple configuration—non-bridged

Enabling client-to-client traffic



Checking broadcast and non-IP traffic

External DHCP server

Using the status file

Management interface

PKI, Certificates, and OpenSSL


Certificate generation

xCA: a GUI for managing a PKI (Part 1)

xCA: a GUI for managing a PKI (Part 2)

OpenSSL tricks: x509, pkcs12, verify output

Revoking certificates

The use of CRLs

Checking expired/revoked certificates

Intermediary CAs

Multiple CAs: stacking, using --capath

Two-factor Authentication with PKCS#11


Initializing a hardware token

Getting a hardware token ID

Using a hardware token

Using the management interface to list PKCS#11 certificates

Selecting a PKCS#11 certificate using the management interface

Generating a key on the hardware token

Private method for getting a PKCS#11 certificate

Pin caching example

Scripting and Plugins


Using a client-side up/down script

Windows login greeter

Using client-connect/client-disconnect scripts

Using a 'learn-address' script

Using a 'tls-verify' script

Using an 'auth-user-pass-verify' script

Script order

Script security and logging

Using the 'down-root' plugin

Using the PAM authentication plugin

Troubleshooting OpenVPN: Configurations


Cipher mismatches

TUN versus TAP mismatches

Compression mismatches

Key mismatches

Troubleshooting MTU and tun-mtu issues

Troubleshooting network connectivity

Troubleshooting 'client-config-dir' issues

How to read the OpenVPN log files

Troubleshooting OpenVPN: Routing


The missing return route

Missing return routes when 'iroute' is used

All clients function except the OpenVPN endpoints

Source routing

Routing and permissions on Windows

Troubleshooting client-to-client traffic routing

Understanding the 'MULTI: bad source' warnings

Failure when redirecting the default gateway

Performance Tuning


Optimizing performance using 'ping'

Optimizing performance using 'iperf'

OpenSSL cipher speed

Compression tests

Traffic shaping

Tuning UDP-based connections

Tuning TCP-based connections

Analyzing performance using tcpdump

OS Integration


Linux: using NetworkManager

Linux: using 'pull-resolv-conf'

MacOS: using Tunnelblick

Windows Vista/7: elevated privileges

Windows: using the CryptoAPI store

Windows: updating the DNS cache

Windows: running OpenVPN as a service

Windows: public versus private network adapters

Windows: routing methods

Advanced Configuration


Including configuration files in config files

Multiple remotes and remote-random

Details of ifconfig-pool-persist

Connecting using a SOCKS proxy

Connecting via an HTTP proxy

Connecting via an HTTP proxy with authentication

Using dyndns

IP-less setups (ifconfig-noexec)

New Features of OpenVPN 2.1 and 2.2


Inline certificates

Connection blocks

Port sharing with an HTTPS server

Routing features: redirect-private, allow-pull-fqdn

Handing out the public IPs

OCSP support

New for 2.2: the 'x509_user_name' parameter